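/*
 * Attach a token-resident RSA private key to 'key'.
 *
 * 'pub' must already hold the public half (CKA_MODULUS and
 * CKA_PUBLIC_EXPONENT); both attributes are copied into 'key' so the public
 * material is available without touching the token again.  'label' is a
 * PKCS#11 URI handed to pk11_parse_uri(); the private object is then located
 * by CKA_LABEL, or by CKA_ID when the URI carries no label, restricted to
 * token objects (CKA_TOKEN) of class CKO_PRIVATE_KEY / type CKK_RSA.
 *
 * Returns DST_R_NOENGINE when 'label' is NULL, ISC_R_NOTFOUND when nothing
 * matches, ISC_R_EXISTS when the label/ID is ambiguous (more than one
 * object matches), DST_R_CRYPTOFAILURE on a PKCS#11 error, ISC_R_NOMEMORY on
 * allocation failure, or the pk11_parse_uri() / pk11_get_session() result.
 * On failure only the session context is released here; the attribute
 * copies already hung off key->keydata.pkey are presumably freed by the
 * caller destroying the key (not visible from this function).
 */
static isc_result_t
pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
		dst_key_t *pub)
{
	CK_RV rv;
	CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
	CK_KEY_TYPE keyType = CKK_RSA;
	CK_ATTRIBUTE searchTemplate[] =
	{
		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
		{ CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) },
		{ CKA_LABEL, NULL, 0 }
	};
	/*
	 * Room for two handles: C_FindObjects() never returns more than
	 * ulMaxObjectCount objects, so asking for a single handle would make
	 * the "more than one match" check below unreachable and an ambiguous
	 * label would silently select whichever object the token lists first.
	 */
	CK_OBJECT_HANDLE handles[2] = { CK_INVALID_HANDLE, CK_INVALID_HANDLE };
	CK_ULONG cnt;
	CK_ATTRIBUTE *attr;
	CK_ATTRIBUTE *pubattr;
	pk11_object_t *rsa;
	pk11_object_t *pubrsa;
	pk11_context_t *pk11_ctx = NULL;
	isc_result_t ret;

	if (label == NULL)
		return (DST_R_NOENGINE);

	rsa = key->keydata.pkey;
	pubrsa = pub->keydata.pkey;

	rsa->object = CK_INVALID_HANDLE;
	rsa->ontoken = ISC_TRUE;
	rsa->reqlogon = ISC_TRUE;
	rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
	if (rsa->repr == NULL)
		return (ISC_R_NOMEMORY);
	memset(rsa->repr, 0, sizeof(*attr) * 2);
	rsa->attrcnt = 2;
	attr = rsa->repr;

	/* Copy the modulus from the public key. */
	attr->type = CKA_MODULUS;
	pubattr = pk11_attribute_bytype(pubrsa, CKA_MODULUS);
	INSIST(pubattr != NULL);	/* a public key without modulus is malformed */
	attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
	if (attr->pValue == NULL)
		DST_RET(ISC_R_NOMEMORY);
	memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
	attr->ulValueLen = pubattr->ulValueLen;
	attr++;

	/* Copy the public exponent from the public key. */
	attr->type = CKA_PUBLIC_EXPONENT;
	pubattr = pk11_attribute_bytype(pubrsa, CKA_PUBLIC_EXPONENT);
	INSIST(pubattr != NULL);	/* likewise for the exponent */
	attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
	if (attr->pValue == NULL)
		DST_RET(ISC_R_NOMEMORY);
	memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
	attr->ulValueLen = pubattr->ulValueLen;

	/* Parse the URI; this adds the label/ID attributes to 'rsa'. */
	ret = pk11_parse_uri(rsa, label, key->mctx, OP_RSA);
	if (ret != ISC_R_SUCCESS)
		goto err;

	pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
						  sizeof(*pk11_ctx));
	if (pk11_ctx == NULL)
		DST_RET(ISC_R_NOMEMORY);
	ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE,
			       rsa->reqlogon, NULL, rsa->slot);
	if (ret != ISC_R_SUCCESS)
		goto err;

	/* Search by label, or by ID when the URI has no label. */
	attr = pk11_attribute_bytype(rsa, CKA_LABEL);
	if (attr == NULL) {
		attr = pk11_attribute_bytype(rsa, CKA_ID);
		INSIST(attr != NULL);
		searchTemplate[3].type = CKA_ID;
	}
	searchTemplate[3].pValue = attr->pValue;
	searchTemplate[3].ulValueLen = attr->ulValueLen;

	PK11_RET(pkcs_C_FindObjectsInit,
		 (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
		 DST_R_CRYPTOFAILURE);
	PK11_RET(pkcs_C_FindObjects,
		 (pk11_ctx->session, handles, (CK_ULONG) 2, &cnt),
		 DST_R_CRYPTOFAILURE);
	(void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
	if (cnt == 0)
		DST_RET(ISC_R_NOTFOUND);
	if (cnt > 1)
		DST_RET(ISC_R_EXISTS);	/* ambiguous label/ID: refuse to guess */
	rsa->object = handles[0];

	if (engine != NULL) {
		key->engine = isc_mem_strdup(key->mctx, engine);
		if (key->engine == NULL)
			DST_RET(ISC_R_NOMEMORY);
	}

	key->label = isc_mem_strdup(key->mctx, label);
	if (key->label == NULL)
		DST_RET(ISC_R_NOMEMORY);

	pk11_return_session(pk11_ctx);
	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));

	/* Key size is derived from the modulus copied above. */
	attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
	INSIST(attr != NULL);
	key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);

	return (ISC_R_SUCCESS);

    err:
	if (pk11_ctx != NULL) {
		pk11_return_session(pk11_ctx);
		memset(pk11_ctx, 0, sizeof(*pk11_ctx));
		isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
	}

	return (ret);
}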
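/*
 * Build an RSA key from a PKCS#11 URI alone (no on-disk public key).
 *
 * The URI in 'label' is parsed with pk11_parse_uri(); the token is then
 * searched twice with the same label/ID template: first for the public
 * object (CKO_PUBLIC_KEY), from which CKA_MODULUS and CKA_PUBLIC_EXPONENT are
 * read into 'key', then for the matching private object (CKO_PRIVATE_KEY),
 * whose handle is kept in rsa->object.  'pin' is accepted for interface
 * compatibility but not used: the session is opened with a NULL PIN and
 * rsa->reqlogon set, so any login relies on the PIN configured for the
 * provider (not visible here).
 *
 * Returns ISC_R_NOTFOUND when either object is missing, ISC_R_EXISTS when
 * the label/ID matches more than one object of a class, ISC_R_RANGE when the
 * public exponent exceeds RSA_MAX_PUBEXP_BITS, DST_R_CRYPTOFAILURE on a
 * PKCS#11 error or an empty attribute, ISC_R_NOMEMORY on allocation failure,
 * or the pk11_parse_uri() / pk11_get_session() result.  On failure the
 * partially built key data is destroyed with pkcs11rsa_destroy().
 */
static isc_result_t
pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
		    const char *pin)
{
	CK_RV rv;
	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
	/*
	 * Room for two handles: C_FindObjects() never returns more than
	 * ulMaxObjectCount objects, so asking for one handle would make the
	 * "more than one match" checks below unreachable and an ambiguous
	 * label would silently select whichever object the token lists first.
	 */
	CK_OBJECT_HANDLE handles[2] = { CK_INVALID_HANDLE, CK_INVALID_HANDLE };
	CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
	CK_KEY_TYPE keyType = CKK_RSA;
	CK_ATTRIBUTE searchTemplate[] =
	{
		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
		{ CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) },
		{ CKA_LABEL, NULL, 0 }
	};
	CK_ULONG cnt;
	CK_ATTRIBUTE *attr;
	pk11_object_t *rsa;
	pk11_context_t *pk11_ctx = NULL;
	isc_result_t ret;
	unsigned int i;

	UNUSED(pin);

	rsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa));
	if (rsa == NULL)
		return (ISC_R_NOMEMORY);
	memset(rsa, 0, sizeof(*rsa));
	rsa->object = CK_INVALID_HANDLE;
	rsa->ontoken = ISC_TRUE;
	rsa->reqlogon = ISC_TRUE;
	key->keydata.pkey = rsa;

	/* Two attribute slots: modulus and public exponent, filled below. */
	rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
	if (rsa->repr == NULL)
		DST_RET(ISC_R_NOMEMORY);
	memset(rsa->repr, 0, sizeof(*attr) * 2);
	rsa->attrcnt = 2;
	attr = rsa->repr;
	attr[0].type = CKA_MODULUS;
	attr[1].type = CKA_PUBLIC_EXPONENT;

	/* Parse the URI; this adds the label/ID attributes to 'rsa'. */
	ret = pk11_parse_uri(rsa, label, key->mctx, OP_RSA);
	if (ret != ISC_R_SUCCESS)
		goto err;

	pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
						  sizeof(*pk11_ctx));
	if (pk11_ctx == NULL)
		DST_RET(ISC_R_NOMEMORY);
	ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE,
			       rsa->reqlogon, NULL, rsa->slot);
	if (ret != ISC_R_SUCCESS)
		goto err;

	/* Search by label, or by ID when the URI has no label. */
	attr = pk11_attribute_bytype(rsa, CKA_LABEL);
	if (attr == NULL) {
		attr = pk11_attribute_bytype(rsa, CKA_ID);
		INSIST(attr != NULL);
		searchTemplate[3].type = CKA_ID;
	}
	searchTemplate[3].pValue = attr->pValue;
	searchTemplate[3].ulValueLen = attr->ulValueLen;

	/* First pass: the public key object. */
	PK11_RET(pkcs_C_FindObjectsInit,
		 (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
		 DST_R_CRYPTOFAILURE);
	PK11_RET(pkcs_C_FindObjects,
		 (pk11_ctx->session, handles, (CK_ULONG) 2, &cnt),
		 DST_R_CRYPTOFAILURE);
	(void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
	if (cnt == 0)
		DST_RET(ISC_R_NOTFOUND);
	if (cnt > 1)
		DST_RET(ISC_R_EXISTS);	/* ambiguous label/ID: refuse to guess */
	hKey = handles[0];

	/*
	 * Two-pass C_GetAttributeValue(): with pValue NULL the token only
	 * reports each attribute's size; the second call fills the buffers
	 * allocated from those sizes.
	 */
	attr = rsa->repr;
	PK11_RET(pkcs_C_GetAttributeValue,
		 (pk11_ctx->session, hKey, attr, 2),
		 DST_R_CRYPTOFAILURE);
	for (i = 0; i <= 1; i++) {
		/*
		 * The sizes come from the token and are not otherwise
		 * validated; an empty modulus or exponent is not a usable
		 * key, so reject it instead of allocating a zero-length
		 * buffer and deriving a zero key size.
		 */
		if (attr[i].ulValueLen == 0)
			DST_RET(DST_R_CRYPTOFAILURE);
		attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
		if (attr[i].pValue == NULL)
			DST_RET(ISC_R_NOMEMORY);
		memset(attr[i].pValue, 0, attr[i].ulValueLen);
	}
	PK11_RET(pkcs_C_GetAttributeValue,
		 (pk11_ctx->session, hKey, attr, 2),
		 DST_R_CRYPTOFAILURE);

	/*
	 * Second pass: the private key object.  The template points at
	 * keyClass, so changing it here re-targets the same search.
	 */
	keyClass = CKO_PRIVATE_KEY;
	handles[0] = CK_INVALID_HANDLE;
	handles[1] = CK_INVALID_HANDLE;
	PK11_RET(pkcs_C_FindObjectsInit,
		 (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
		 DST_R_CRYPTOFAILURE);
	PK11_RET(pkcs_C_FindObjects,
		 (pk11_ctx->session, handles, (CK_ULONG) 2, &cnt),
		 DST_R_CRYPTOFAILURE);
	(void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
	if (cnt == 0)
		DST_RET(ISC_R_NOTFOUND);
	if (cnt > 1)
		DST_RET(ISC_R_EXISTS);	/* ambiguous label/ID: refuse to guess */
	rsa->object = handles[0];

	if (engine != NULL) {
		key->engine = isc_mem_strdup(key->mctx, engine);
		if (key->engine == NULL)
			DST_RET(ISC_R_NOMEMORY);
	}

	key->label = isc_mem_strdup(key->mctx, label);
	if (key->label == NULL)
		DST_RET(ISC_R_NOMEMORY);

	/* Reject oversized public exponents before the key is usable. */
	attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
	INSIST(attr != NULL);
	if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
		DST_RET(ISC_R_RANGE);

	attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
	INSIST(attr != NULL);
	key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);

	pk11_return_session(pk11_ctx);
	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));

	return (ISC_R_SUCCESS);

    err:
	pkcs11rsa_destroy(key);
	if (pk11_ctx != NULL) {
		pk11_return_session(pk11_ctx);
		memset(pk11_ctx, 0, sizeof(*pk11_ctx));
		isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
	}

	return (ret);
}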
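/*
 * Benchmark driver: time 'count' CKA_LABEL object searches on a PKCS#11
 * token and report the search rate.
 *
 * Options: -m <module path>, -s <slot>, -p <PIN>, -n <search count>
 * (default 1000).  Without -p the PIN is prompted for with getpassphrase().
 * A PIN given with -p sits in argv, so it is visible to other local users
 * through the process argument list; prefer the prompt.  The search template
 * uses the file-scope 'label' with sizeof(label), which includes the
 * terminating NUL if 'label' is a string-literal array -- presumably the
 * objects were created with the same template (confirm against the creator).
 *
 * Exit status: 0 on success, 1 on a usage error, a session error, a failed
 * search, or a clock_gettime() failure.
 */
int
main(int argc, char *argv[]) {
	isc_result_t result;
	CK_RV rv;
	CK_SLOT_ID slot = 0;
	CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
	CK_ATTRIBUTE sTemplate[] =
	{
		{ CKA_LABEL, label, (CK_ULONG) sizeof(label) },
	};
	CK_OBJECT_HANDLE sKey = CK_INVALID_HANDLE;
	CK_ULONG found = 0;
	pk11_context_t pctx;
	char *lib_name = NULL;
	char *pin = NULL;
	char *end = NULL;
	unsigned long num = 0;
	int error = 0;
	int c, errflg = 0;
	unsigned int count = 1000;
	unsigned int i;
	struct timespec starttime;
	struct timespec endtime;

	while ((c = isc_commandline_parse(argc, argv, ":m:s:p:n:")) != -1) {
		switch (c) {
		case 'm':
			lib_name = isc_commandline_argument;
			break;
		case 's':
			/*
			 * strtoul() rather than atoi(): reject empty,
			 * non-numeric and negative slot numbers instead of
			 * silently using 0 or a wrapped value.
			 */
			num = strtoul(isc_commandline_argument, &end, 10);
			if (end == isc_commandline_argument || *end != '\0' ||
			    isc_commandline_argument[0] == '-') {
				fprintf(stderr, "Bad slot number: %s\n",
					isc_commandline_argument);
				errflg++;
				break;
			}
			slot = (CK_SLOT_ID) num;
			break;
		case 'p':
			pin = isc_commandline_argument;
			break;
		case 'n':
			/* Same validation; also refuse values that do not fit count. */
			num = strtoul(isc_commandline_argument, &end, 10);
			if (end == isc_commandline_argument || *end != '\0' ||
			    isc_commandline_argument[0] == '-' ||
			    num != (unsigned int) num) {
				fprintf(stderr, "Bad count: %s\n",
					isc_commandline_argument);
				errflg++;
				break;
			}
			count = (unsigned int) num;
			break;
		case ':':
			fprintf(stderr,
				"Option -%c requires an operand\n",
				isc_commandline_option);
			errflg++;
			break;
		case '?':
		default:
			fprintf(stderr, "Unrecognised option: -%c\n",
				isc_commandline_option);
			errflg++;
		}
	}

	if (errflg) {
		fprintf(stderr, "Usage:\n");
		fprintf(stderr,
			"\tfind [-m module] [-s slot] [-p pin] [-n count]\n");
		exit(1);
	}

	/* Initialize the CRYPTOKI library */
	if (lib_name != NULL)
		pk11_set_lib_name(lib_name);

	if (pin == NULL)
		pin = getpassphrase("Enter Pin: ");

	result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_TRUE,
				  (const char *) pin, slot);
	if (result != ISC_R_SUCCESS) {
		fprintf(stderr, "Error initializing PKCS#11: %s\n",
			isc_result_totext(result));
		exit(1);
	}

	/*
	 * Scrub the PIN once the session is open.  The buffer lives in argv
	 * or in getpassphrase()'s storage, so this memset() is not a dead
	 * store the compiler can drop; a -p PIN nevertheless remains visible
	 * in the process argument list for the life of the process.
	 */
	if (pin != NULL)
		memset(pin, 0, strlen((char *)pin));

	hSession = pctx.session;

	if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
		perror("clock_gettime(start)");
		error = 1;	/* no timing means no benchmark result */
		goto exit_objects;
	}

	/*
	 * Each iteration is a full Init/Find/Final cycle.  A C_FindObjects()
	 * failure still runs C_FindObjectsFinal() so the search is closed
	 * before the loop stops on 'error'.
	 */
	for (i = 0; !error && (i < count); i++) {
		rv = pkcs_C_FindObjectsInit(hSession, sTemplate, 1);
		if (rv != CKR_OK) {
			fprintf(stderr,
				"C_FindObjectsInit[%u]: Error = 0x%.8lX\n",
				i, rv);
			error = 1;
			break;
		}

		rv = pkcs_C_FindObjects(hSession, &sKey, 1, &found);
		if (rv != CKR_OK) {
			fprintf(stderr,
				"C_FindObjects[%u]: Error = 0x%.8lX\n",
				i, rv);
			error = 1;
			/* no break here! */
		}

		rv = pkcs_C_FindObjectsFinal(hSession);
		if (rv != CKR_OK) {
			fprintf(stderr,
				"C_FindObjectsFinal[%u]: Error = 0x%.8lX\n",
				i, rv);
			error = 1;
			break;
		}
	}

	if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
		perror("clock_gettime(end)");
		error = 1;
		goto exit_objects;
	}

	/* endtime becomes the elapsed interval, normalised to tv_nsec >= 0. */
	endtime.tv_sec -= starttime.tv_sec;
	endtime.tv_nsec -= starttime.tv_nsec;
	while (endtime.tv_nsec < 0) {
		endtime.tv_sec -= 1;
		endtime.tv_nsec += 1000000000;
	}
	printf("%u object searches in %ld.%09lds\n", i,
	       (long) endtime.tv_sec, (long) endtime.tv_nsec);
	/*
	 * Rate is searches divided by elapsed seconds.  The previous
	 * "1024 * i" factor belonged to a byte-throughput benchmark and
	 * overstated this rate by 1024x.
	 */
	if (i > 0)
		printf("%g object searches/s\n",
		       i / ((double) endtime.tv_sec +
			    (double) endtime.tv_nsec / 1000000000.));

    exit_objects:
	pk11_return_session(&pctx);
	pk11_shutdown();

	exit(error);
}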